Microsoft Knowledge Base Article

This article's content is Microsoft copyrighted material.
©2005-2007 Microsoft Corporation. All rights reserved.




Article ID: 892466 - Last Review: May 18, 2007 - Revision: 2.3

How to run a user control assembly that is hosted on Internet Information Services (IIS) in Internet Explorer

INTRODUCTION

This article discusses how to run a user control assembly that is hosted on Microsoft Internet Information Services (IIS) in Microsoft Internet Explorer.

Note The following information applies to an assembly when you intend to run the assembly by using more permissions than would ordinarily be granted to the zone that the assembly belongs to. Typically this zone is the Internet, Local Intranet, or Trusted sites zone.

MORE INFORMATION

To load a user control assembly in Internet Explorer, you must follow several steps. Otherwise, you may receive security exceptions when you try to load the assembly. To run the user control assembly in Internet Explorer, make sure that the following conditions are met in this order:
  1. The user control assembly is identifiable. You can use this identification to set the membership condition in a code group by using either the .NET Configuration Tool (Mscorcfg.msc) or the Code Access Security Policy Tool (Caspol.exe). We recommend that you sign the assembly by using a strong name or a certificate. However, you can also use other sources of identity, such as a URL or a site. A URL or a site can serve as a membership condition. However, we do not recommend that you use a URL or a site because they are less secure than a strong name or a certificate.

    Use the Strong Name tool (Sn.exe) that is included with the Microsoft .NET Framework Software Development Kit (SDK) to generate a cryptographic key pair. To generate a key pair and to store the key pair in a file that is named KeyPair.snk, type the following command at a command prompt:
    sn -k KeyPair.snk
    Note The strong name key is used to create a code group that grants permissions to the assembly.

    Sign the assembly by including the following assembly-level attribute in the source code file (AssemblyInfo):
    [assembly: AssemblyKeyFile("KeyPair.snk")]
    
  2. If the user control is strong named, the user control must have the AllowPartiallyTrustedCallers attribute. The AllowPartiallyTrustedCallers attribute requires that the assembly be signed by using a strong name key. This attribute is required because the control is called by either an Intranet Web page or an Internet Web page that is running under restricted permissions. The fully attributed assembly should be similar to the following:
    using System.Reflection;
    using System.Security;
    [assembly: AssemblyKeyFile("KeyPair.snk")]   // key pair generated in step 1
    [assembly: AssemblyVersion("1.0.0.0")]
    [assembly: AllowPartiallyTrustedCallers]
    namespace SignedAssembly { /* user control classes */ }
    
  3. The user control must assert the permissions that it requires in the zone in which the user control is running. Typically, these permissions would not be granted. Permissions should only be asserted if you know that the calling application has insufficient permissions. Asserts should not be performed without a strong requirement. The following code example shows how to use the FileIOPermission.Assert method.
    // Requires: using System.IO; using System.Security.Permissions;
    // Assert file access so that the stack walk stops at this control.
    new FileIOPermission(PermissionState.Unrestricted).Assert();
    textBox1.Text = fileDialog.FileName;

    // Display the contents of the file in the list box.
    FileStream fsIn = new FileStream(textBox1.Text, FileMode.Open, FileAccess.Read, FileShare.Read);
    // Disposing the reader also closes the underlying file stream.
    using (StreamReader sr = new StreamReader(fsIn))
    {
        // Process every line in the file.
        for (String Line = sr.ReadLine(); Line != null; Line = sr.ReadLine())
        {
            listBox1.Items.Add(Line);
        }
    }
    
  4. The user control must revert asserts immediately after it performs the asserted actions.

    Important You must call the RevertAssert method to restore the stack walk for file operations. To do this, use the following code example.
    FileIOPermission.RevertAssert();
    
  5. The user control must be hosted in an IIS folder that has the Execute permission option set to either None or Scripts Only.
  6. The client must have a code group to which the assembly resolves. This code group grants the permissions that the assembly requires. For example, use the following command to create a code group for an assembly:
    caspol -machine -addgroup All_Code -strong -file SignedAssembly.exe -noname -noversion FullTrust -name YourCompanyStrongName -description "Code group granting trust to code signed by YourCompany"
    Note You can also create the code group by using the Microsoft .NET Framework Configuration tool (Mscorcfg.msc). To use Mscorcfg.msc, open Administrative Tools in Control Panel. Then, double-click Microsoft .NET Framework Configuration.
  7. If Internet Explorer Enhanced Security Configuration has been enabled for both the Administrators group and the Other Groups group on the computer that is running IIS, make sure that the Do not save encrypted pages to disk option is not selected on the Advanced tab in the Options dialog box in Internet Explorer. By default, the Internet Explorer Enhanced Security setting is enabled in Windows Server 2003. When this option is enabled, downloaded files are encrypted. Another feature is that the Do not save encrypted pages to disk option is selected automatically on the client. To successfully download a user control under these conditions, the Do not save encrypted pages to disk setting on the client must be cleared. To make sure that the Do not save encrypted pages to disk option is not selected, follow these steps:
    1. In Internet Explorer, click Tools, and then click Internet Options.
    2. In the Internet Options dialog box, click the Advanced tab.
    3. Locate and then click to clear the Do not save encrypted pages to disk check box, and then click OK.
  8. Make sure that the run-time version of the .NET Framework that is on the host computer is compatible with the run-time version that is used to compile the assembly.
  9. Make sure that the code group that was created for the user control is in the same .NET Framework run-time version that the control uses.
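The assert and revert from steps 3 and 4 combined in one method, as an added example that is not part of the Microsoft article. ControlFileReader and ReadAllLines are hypothetical names; the method assumes the caller passes an absolute path, and it asserts read access to that one file rather than unrestricted file access.

```csharp
// Added example (not from the KB article). ControlFileReader and ReadAllLines
// are hypothetical names; fullPath is assumed to be an absolute path.
using System;
using System.Collections;
using System.IO;
using System.Security;
using System.Security.Permissions;

public sealed class ControlFileReader
{
    private ControlFileReader() { }

    public static ArrayList ReadAllLines(string fullPath)
    {
        if (fullPath == null || !Path.IsPathRooted(fullPath))
            throw new ArgumentException("An absolute path is required.", "fullPath");

        ArrayList lines = new ArrayList();

        // Assert read access to this one file only, instead of
        // PermissionState.Unrestricted, so the stack walk is stopped for
        // nothing beyond what the operation needs.
        FileIOPermission readOnly =
            new FileIOPermission(FileIOPermissionAccess.Read, fullPath);
        readOnly.Assert();
        try
        {
            using (StreamReader reader = new StreamReader(
                new FileStream(fullPath, FileMode.Open, FileAccess.Read, FileShare.Read)))
            {
                for (string line = reader.ReadLine(); line != null; line = reader.ReadLine())
                {
                    lines.Add(line);
                }
            }
        }
        finally
        {
            // Runs on success and on exception: restore the normal stack walk.
            CodeAccessPermission.RevertAssert();
        }
        return lines;
    }
}
```

The assert takes effect only if the assembly itself has been granted the asserted permission and the right to assert, which is what the code group from step 6 provides.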
If you experience problems, you can enable extended error logging in Internet Explorer. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
313892  (http://kbalertz.com/Feedback.aspx?kbNumber=313892/ ) How to use the IEHost log to debug .NET object hosting in Internet Explorer

REFERENCES

For more information about the .NET Framework security policy model, visit the following Microsoft Developer Network (MSDN) Web site:
http://msdn2.microsoft.com/en-us/library/ck90k585(vs.71).aspx
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
302340  (http://kbalertz.com/Feedback.aspx?kbNumber=302340/ ) How to create an assembly with a strong name in .NET Framework SDK

APPLIES TO
  • Microsoft .NET Framework 1.1
  • Microsoft .NET Framework 1.0
Keywords: 
kbconfig kbhowto kbinfo KB892466
       
